The Hacker News — Cyber Security, Hacking, Technology News

A critical vulnerability discovered in the Chrome and Firefox browser extensions of the grammar-checking software Grammarly left all 22 million users' accounts, including their personal documents and records, exposed to remote attackers.

According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Grammarly extension for Chrome and Firefox exposed its authentication tokens to every website the user visited, so that any site could grab them with just four lines of JavaScript.

In other words, any website a Grammarly user visited could steal the user's authentication tokens, which are enough to log in to the account and access all "documents, history, logs, and all other data" without permission.

"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," Ormandy said in a vulnerability report. "Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."

Ormandy also published a proof-of-concept (PoC) exploit showing how a website can trigger the bug and steal a Grammarly user's access token with just four lines of code.
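The following sketch is an added illustration of the bug class Ormandy describes; it is not Grammarly's code and not his PoC, neither of which this page reproduces. It models an extension content script that answers window messages: the vulnerable handler hands the token to any page that asks, the hardened one checks event.origin first. The token value, the trusted origin and the message shapes are assumed, and replies are returned rather than posted so the code runs under plain Node.js.

```javascript
// Added example (not Grammarly's code, not Ormandy's PoC): an extension content
// script that leaks a token into page context, beside an origin-checked form.
// Every name and value here is assumed for illustration.

const AUTH_TOKEN = 'grammarly-token-CONSTRUCTED-EXAMPLE'; // constructed sample value
const TRUSTED_ORIGIN = 'https://app.extension.example';   // assumed first-party origin

// A real 'message' handler replies with event.source.postMessage(...). Here it
// returns the reply (or null for "stay silent") so it runs outside a browser.

// Vulnerable: answers {type: 'getToken'} from any origin. Four lines of page
// JavaScript (a postMessage plus a 'message' listener) are enough to read it.
function vulnerableHandler(event) {
  if (event.data && event.data.type === 'getToken') {
    return { type: 'token', token: AUTH_TOKEN };
  }
  return null;
}

// Hardened: refuse every origin except the one the extension actually serves,
// validate the message shape, and pin the reply's target origin so the token
// can never be delivered to a different window. (Better still: keep the token
// in the background script and never put it in page context at all.)
function hardenedHandler(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null;
  if (!event.data || event.data.type !== 'getToken') return null;
  return { type: 'token', token: AUTH_TOKEN, targetOrigin: TRUSTED_ORIGIN };
}

// The asking page: post the request and read back whatever comes. In a browser
// this is window.postMessage({type: 'getToken'}, '*') plus a 'message' listener.
function pageAsksForToken(handler, pageOrigin) {
  const reply = handler({ origin: pageOrigin, data: { type: 'getToken' } });
  return reply ? reply.token : null;
}

function tokenLeakDemo() {
  const evil = 'https://evil.example'; // any site the user happens to visit
  return {
    vulnerable: pageAsksForToken(vulnerableHandler, evil),         // token leaks
    hardened: pageAsksForToken(hardenedHandler, evil),             // null
    firstParty: pageAsksForToken(hardenedHandler, TRUSTED_ORIGIN)  // token, as intended
  };
}
```

The origin check is the minimum; the stronger fix is to never expose the token to web content and instead route privileged calls through the extension's own background page.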

This high-severity flaw was discovered on Friday and fixed early Monday morning by the Grammarly team, which, according to the researcher, is "a really impressive response time" for addressing such bugs.

Security updates are now available for both Chrome and Firefox browser extensions, which should get automatically updated without requiring any action by Grammarly users.

A Grammarly spokesperson also said in an email that the company has no evidence of users being compromised through this vulnerability.

"Grammarly resolved a security bug reported by Google's Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue," the spokesperson said.

"We're continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users."

A highly critical vulnerability has been discovered in Cisco Systems' WebEx browser extension for Chrome and Firefox, for the second time this year, which could allow attackers to remotely execute malicious code on a victim's computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.

Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension.

To exploit the vulnerability, all an attacker needs to do is trick a victim into visiting a web page containing specially crafted code in a browser with the affected extension installed.

Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

"I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them," Ormandy said. "This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well."

Cisco has already patched the vulnerability and released the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox that addresses this issue, though "there are no workarounds that address this vulnerability."

A critical vulnerability in the fully patched version of Mozilla's Firefox browser could allow well-resourced attackers to launch man-in-the-middle (MITM) impersonation attacks; it also affects the Tor Browser, which is built on Firefox.

The Tor Project patched the issue in the browser's HTTPS certificate pinning system on Friday with the release of Tor Browser version 6.0.5, while Mozilla has yet to patch the critical flaw in Firefox.

Attackers can deliver Fake Tor and Firefox Add-on Updates

The vulnerability could allow a man-in-the-middle attacker who is able to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla servers and as a result, deliver a malicious update for NoScript, HTTPS Everywhere or other Firefox extensions installed on a targeted computer.

"This could lead to arbitrary code execution [vulnerability]," Tor officials warned in an advisory. "Moreover, other built-in certificate pinnings are affected as well."

Although it would be challenging to obtain a fraudulent certificate for addons.mozilla.org from any one of the several hundred certificate authorities (CAs) that Firefox trusts, it is within reach of powerful nation-state attackers.

The vulnerability was initially discovered on Tuesday by a security researcher who goes by the handle @movrcx, who described the attack against Tor Browser and estimated that attackers would need around US$100,000 to carry it out across platforms.

Actual Issue resides in Firefox's Certificate Pinning Procedure

However, according to a report posted Thursday by independent security researcher Ryan Duff, the issue also affects stable Firefox releases, although a nightly build released on September 4 is not susceptible.

Duff said the actual problem lies in Firefox's custom method for handling "certificate pinning," which differs from the IETF-standardised HPKP (HTTP Public Key Pinning) mechanism.

Certificate pinning is an HTTPS hardening measure that makes the user's browser accept only a specific public key (or a small set of keys) for a particular domain or subdomain and reject all others, so that a certificate obtained from any other CA, even a trusted one, is not enough to spoof the site.

While not widely deployed, HPKP is used by some websites that handle sensitive information.

"Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP," says Duff. "The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario."

Mozilla is scheduled to release Firefox 49 on September 20, so the team has enough time to deliver a fix. The Tor Project took just one day to address the flaw after the bug's disclosure went online.

Users of Tor Browser should update to version 6.0.5, while Firefox users should disable automatic add-on updates, which are enabled by default, or consider using a different browser until Mozilla ships a fix.

A security researcher has reported server-side vulnerabilities in the popular Pocket service, whose add-on ships bundled with the Firefox browser.

The security flaws could have allowed hackers to exfiltrate data from the company’s servers as well as populate reading lists with malicious links.

The Pocket button in the Firefox browser allows you to save links, videos, web pages, or articles to your Pocket account with just a click, making it easier for you to read them later, usually offline.

The vulnerabilities discovered by security researcher Clint Ruoho could have allowed attackers to gain unrestricted root access to the server hosting the application, the researcher wrote in his blog post.

For this to be done, a hacker only needs:

A browser

The Pocket Mobile app

An Amazon EC2 instance, which costs about 2 cents an hour

Turning the service's core feature against it, the researcher was able to save an internal server address to his 'Read it Later' list, which the service then requested on his behalf.

This could give an attacker access to the following sensitive server information:

IAM credentials

The server's internal IP address

Network type

The SSH private key used for passwordless logins

With this information, an attacker could gain unrestricted access and read every file on the back-end server's filesystem with root-level privileges.

Ruoho reported the vulnerabilities to Read It Later, the company that owns Pocket, and asked for a fix.

In response, the company issued a quick remediation and asked Ruoho to delay full disclosure of his report by 21 days.


Mozilla's Firefox web browser is used by roughly 30% of all Internet users, and the company has taken its users' security seriously for many years.

To improve the stability, security and performance of Firefox, Mozilla announced back in 2013 that it planned to enable the 'Click to Play' feature in upcoming Firefox versions, blocking vulnerable plugins such as Java by default.

'Click to Play' blocks all plugins from running until the user explicitly activates them. Because blocking every plugin annoyed users, Mozilla announced it would maintain a whitelist of approved plugins that are exempt from default blocking.

"By allowing users to decide which sites need to use plugins, Firefox will help protect them and keep their browser running smoothly." ~Benjamin Smedberg, Engineering Manager.

Plugin authors can apply for inclusion in the whitelist by filing a request in Bugzilla using a template; applications submitted by 31 March 2014 will be reviewed by Mozilla.

Firefox will start blocking plugins by default no sooner than Firefox 30. If accepted, a plugin will be whitelisted for the next four Firefox releases, i.e. 30 weeks (6 weeks in the beta channel and 24 weeks in the general release channel), with the possibility of applying for a further extension later.

Adobe Flash is included in the whitelist; Mozilla's 'security and plugin teams work closely with Adobe to make sure that Firefox users are protected from instability or security issues in the Flash plugin', the company said. The Java plugin, however, is excluded from the whitelist because of its continuing security problems and slow performance.

Google Chrome, the most widely used web browser, is moving in the same direction: last January it blocked all NPAPI plugins except Silverlight, Unity, Google Earth, and Facebook Video.